It’s all about tracking...
ISO 27001, SOC 2, HIPAA, GDPR and other standards and regulations are, at their core, built on the same requirements. For you, it means you need to:
• Create policies and procedures relevant to your organization
• Make sure your team is trained and aware of these policies
• Set the required controls to assure ongoing compliance
From this point on…track. Track and document everything: what you did, what happened, what went wrong. Track, track, track, and document it all. Keeping a record of your activity helps you understand the status of each task, and it is the evidence you will need to demonstrate compliance when you go through an external audit.
It is one thing to have policies in place; it is a totally different thing to make sure they are consistently updated and that these policies are actually being adhered to.
When it comes to compliance, the best way to ensure that your team acts according to the policies is to define a trigger for each process. Once the trigger fires, it kicks off a fixed list of steps, with a clear who's-doing-what assignment, to be completed by every stakeholder in that process.
A simple example is the process of onboarding a new employee.
The trigger would be: someone within the organization (typically someone from the HR department) announces that a new employee has been recruited.
The list of actions (according to the HR policy) would be something like this:
• IT/Security – Order and set up a new computer, create an email address, create a unique username and assign the permissions in Active Directory that the employee's role requires (and no more)
• Admin – Allocate a seat, allocate a parking spot, get a picture of the employee, issue an employee card
• HR – Receive and archive the signed offer including the NDA, have the employee complete the company training materials, meet the management team, etc.
How do we make it happen, and how can we track this list of action items to make sure it is completed for this new employee? And for the next one? And for all future employees? Did someone say track?
A simple way would be to open a tracking sheet for this process, make it available to all the relevant "players", and give them a simple way to collaborate around the status of the process. It could look like this:
This is a board called "New employee onboard", created with the monday.com project management tool.
Subscribed to the board are the people from the HR, IT and Admin departments. They will all get a notification for every change made on this board.
The trigger can be the creation of a new item (a row on the board) when a new employee accepts an offer, with the employee's details added to it. All the subscribers get a notice, can start working on their own task and update its status, and all the other "players" see that status. With online notifications and a visual picture of where the process stands, tracking becomes easy.
In a very similar way we could track almost everything. Let's look at a few common processes required by most of the regulations.
Periodic review of the company policies. Policies are not a one-time effort. They need to be reviewed once in a while to make sure they are still relevant and accurate, and revised when they are not. A tracking board could look like this:
Another good example of a process that needs to be tracked is the risk assessment. A risk assessment should be conducted periodically. The outcomes should be discussed with the senior management team, addressed accordingly and then… documented and tracked. A risk assessment board could look like this:
An access and permissions review of the IT systems should be carried out periodically to ensure that access is granted only to those who need it, that administrative privileges are held only by the people who actually require them, and that accounts of people who have left or changed roles have been removed. There are lots of other important IT-related things we may want to track per system. For example:
• Are we sharing PII (personally identifiable information) through this system? If so, do we have a data processing agreement in place with the provider (as the GDPR requires when a third party processes personal data on our behalf)?
• Who’s the system owner/admin?
• When was the last time we reviewed the user access rights?
The board could look like this:
We may also want to consolidate relevant information, documents, mail correspondence and other items in one place. The system includes an "updates" area in which all the users subscribed to the board can add updates, mention other users, reply, and so on.
With smart use of the board's capabilities, combined with the updates feed, tracking is simple and easy. For security management and compliance with standards and regulations like ISO 27001, SOC 2, HIPAA and GDPR, such boards can be very helpful in passing a self-audit or an external certification, and in making sure the organization is actually complying with the requirements.